On 11/08/2017 06:08 PM, Björn 'besser82' Esser wrote:
> Hello everyone,
>
> since there has been some discussion in the last time about removing
> libcrypt from glibc in some time [1,2,3,4] and splitting it out into a
> separate project which can evolve quicker, I'd like to hear your
> opinion about replacing glibc's libcrypt with libxcrypt [5] for Fedora
> 29 (or 30).

I'd prefer this to happen in Fedora 28 if at all possible.

> Anyways, before this can happen, there is still some work to be done
> with libxcrypt, like adding a FIPS mode or FIPS compliance in a
> different way.

I think the best way to achieve that would be to contribute libxcrypt
(its interfaces and its peculiar build process) to some FIPS-validated
cryptographic libraries, so that the actual algorithms and FIPS mode
logic could be reused from that library.
Otherwise, unless you have experience dealing with FIPS requirements and
getting cryptographic libraries through validation, I strongly recommend
not to work on this at all. If and when we need this downstream, we can
contribute exactly what is needed according to the auditors back
upstream. Personally, I do not have a way to know what the requirements
would be in advance.
Thanks,
Florian